2022.10.24 17:04 "[Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson

2022.11.04 21:12 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson

Hi Su and libtiff folks,

We just received a slew of 16 libtiff CVEs reported to us by a large customer - this is in addition to CVE-2022-3570 I previously wrote about. I see most of these CVEs are fixed in the libtiff master branch but not yet in an official release.

I have two questions:

  1. Can anyone provide an update on an estimated release timeframe for a libtiff version (presumably 4.5.0) containing all the CVE fixes that have been successfully integrated into libtiff master branch since release of 4.4.0?
  2. For newly reported CVE-2022-34266 in https://nvd.nist.gov/vuln/detail/CVE-2022-34266: I'm confused about this one. It states there's a vulnerability in TIFFFetchStripThing in tif_dirread.c in the libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2, and states it's a different vulnerability than CVE-2022-0562. The NVD report for CVE-2022-34266 doesn't contain any links to a libtiff GitLab issue describing the vulnerability, but I do see that the libtiff fix for CVE-2022-0562 was released in 4.4.0. Can you please let me know if CVE-2022-34266 is a new vulnerability that's different from CVE-2022-0562 as stated in the NVD CVE report?

Thank you,

ellen